]> git.ipfire.org Git - thirdparty/suricata-verify.git/commitdiff
projects / thirdparty / suricata-verify.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 1e6711f)
tests: add dcerpc test per #3109
authorTravis Green <travis@travisgreen.net>
Mon, 14 Oct 2019 16:03:10 +0000 (09:03 -0700)
committerVictor Julien <victor@inliniac.net>
Mon, 13 Jun 2022 06:23:23 +0000 (08:23 +0200)
tests/dcerpc/dcerpc-3109/README [new file with mode: 0644] patch | blob
tests/dcerpc/dcerpc-3109/dcerpc.rules [new file with mode: 0644] patch | blob
tests/dcerpc/dcerpc-3109/input.pcap [new file with mode: 0644] patch | blob
tests/dcerpc/dcerpc-3109/test.yaml [new file with mode: 0644] patch | blob

diff --git a/tests/dcerpc/dcerpc-3109/README b/tests/dcerpc/dcerpc-3109/README
new file mode 100644 (file)
index 0000000..7e9d7e6
--- /dev/null
+++ b/tests/dcerpc/dcerpc-3109/README
@@ -0,0 +1,11 @@
+Description
+===========
+This test ensures that dcerpc keywords alert as expected and that bug 3109 is no longer valid.
+
+PCAP
+====
+PCAP comes from https://redmine.openinfosecfoundation.org/issues/3109
+
+Reported by
+===========
+Travis Green <travis@travisgreen.net>
diff --git a/tests/dcerpc/dcerpc-3109/dcerpc.rules b/tests/dcerpc/dcerpc-3109/dcerpc.rules
new file mode 100644 (file)
index 0000000..9460923
--- /dev/null
+++ b/tests/dcerpc/dcerpc-3109/dcerpc.rules
@@ -0,0 +1,4 @@
+alert tcp any any -> any any (msg:"TGI LATERAL DCERPC ATSVC v1.0 Bind UUID 1ff70682-0a51-30e8-076d-740be8cee98b"; flow:established; dce_iface:1ff70682-0a51-30e8-076d-740be8cee98b,any_frag; reference:url,401trg.com/an-introduction-to-smb-for-network-security-analysts/; classtype:attempted-admin; sid:2610115; rev:1; metadata:notworking;)
+
+# example of a rule working without dcerpc:
+alert tcp any any -> any any (msg:"TGI LATERAL DCERPC ATSVC v1.0 Bind UUID"; flow:established; content:"|82 06 f7 1f 51 0a e8 30 07 6d 74 0b e8 ce e9 8b|"; reference:url,401trg.com/an-introduction-to-smb-for-network-security-analysts/; classtype:attempted-admin; sid:2610113; rev:1;)
diff --git a/tests/dcerpc/dcerpc-3109/input.pcap b/tests/dcerpc/dcerpc-3109/input.pcap
new file mode 100644 (file)
index 0000000..014c3dc
Binary files /dev/null and b/tests/dcerpc/dcerpc-3109/input.pcap differ
diff --git a/tests/dcerpc/dcerpc-3109/test.yaml b/tests/dcerpc/dcerpc-3109/test.yaml
new file mode 100644 (file)
index 0000000..a9a5efc
--- /dev/null
+++ b/tests/dcerpc/dcerpc-3109/test.yaml
@@ -0,0 +1,24 @@
+requires:
+  min-version: 6.0
+
+args:
+  - -k none --set stream.midstream=true
+
+checks:
+
+  - filter:
+      count: 2
+      match:
+        event_type: smb
+        smb.dcerpc.call_id: 2
+
+  - filter:
+      count: 2
+      match:
+        event_type: alert
+        alert.signature_id: 2610115
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        alert.signature_id: 2610113
Mirror of https://github.com/OISF/suricata-verify.git